In this chapter you configure Exchange and Cisco Unity Connection so users can create personal call transfer rules using Exchange calendar and contact information. This allows Connection users to create rules based on who is calling and on the appointments in their calendars. When you are finished with this chapter, return to "Overview of Mandatory Tasks for Installing a Cisco Unity Connection 1.x System."

Note that you will also need to confirm—and, if necessary, modify—a class-of-service setting, and create an external service account for each Connection user who is allowed to base personal call transfer rules on Exchange calendar and contact information. You will be directed to the applicable documentation later in the overview task list.

Note: The tasks in the list reference detailed instructions in the Cisco Unity Connection Installation Guide and in other Cisco Unity Connection documentation. Follow the documentation for a successful installation.

Step 3 In the left pane, expand the domain in which you want to create the account, right-click Users or the organizational unit where you want to create the account, and click New > User.

Step 4 Follow the on-screen prompts to create the service account, choosing the following options:

• When you choose password options, choose the option that prevents the password from expiring. If the password expires, Connection will stop working the next time the server is restarted.

• Do not create an Exchange mailbox.

Step 5 Close Active Directory Users and Computers.

Granting Exchange Permissions to the AD Service Account

To enable the Active Directory service account to access Exchange data, you delegate Exchange View Only Administrator control to the account, and you grant the account Administer Information Store, Send As, and Receive As permissions.

You can delegate control either at the organization level or at the administrative group level. If you delegate control at the administrative group level, you must delegate control in every administrative group that contains the following mailstores:

• An Exchange mailstore from which you want Connection users to be able to import contacts.

• An Exchange mailstore in which you want Connection to be able to access Exchange calendar data.

To Grant Exchange Permissions to the Service Account

Step 1 On a server on which Exchange System Manager is installed, log on to Windows by using an account that is an Exchange Full Administrator.

Step 3 In the left pane of Exchange System Manager, right-click either the organization name at the top of the tree control or an administrative group that contains mailstores in which you want to access calendar and contact data, and click Delegate Control.

b. In the list of users, computers, and groups, double-click the name of the service account.

The Delegate Control dialog box reappears. The account you selected appears in the Group (Recommended) or User box.

Step 8 In the Role list, click Exchange View Only Administrator.

Step 9 Click OK to close the Delegate Control dialog box.

Step 10 Click Next.

Step 11 Click Finish.

Step 12 If you selected the organization name at the top of the tree control in Step 3, skip to Step 13.

If you selected an administrative group in Step 3 and you want to access calendar and contact data in mailstores in other administrative groups, repeat Step 3 through Step 11 for each administrative group.

Step 13 In the left pane of Exchange System Manager, right-click the name of a mailbox store that contains mailboxes in which you want to access calendar and contact data, and click Properties.

If you do not create and install SSL certificates, Connection may still send service account credentials in an encrypted format, depending on whether you have configured one or more authentication schemes in Exchange. However, the available Exchange authentication schemes encrypt only the user name and password, not calendar and contact data, and Exchange documentation indicates that the available schemes provide varying degrees of security. We recommend that you create and install SSL certificates.

Caution: Cisco Unity Connection does not support Passport authentication.

If you use another method to create and install certificates, use the applicable documentation.

This section contains four procedures. Do them in the order listed.

Do the following procedure on any server in the same domain as the Exchange servers that contain calendar and contact data that you want Connection users to be able to access.

To Install the Microsoft Certificate Services Component

Step 1 Locate either a Windows Server 2003 disc or the Cisco Unity Connection disc, which you may be prompted to insert into the DVD drive to complete the installation of the Microsoft Certificate Services component.

Step 2 Log on to Windows by using an account that is a member of the local Administrators group.

Step 9 On the CA Identifying Information page, in the Common Name for This CA field, enter a name for the certification authority.

Step 10 Accept the default value in the Distinguished Name Suffix field.

Step 11 For Validity Period, accept the default value of 5 years.

Step 12 Click Next.

Step 13 On the Certificate Database Settings page, click Next to accept the default values.

If a message appears indicating that Internet Information Services is running on the computer and must be stopped before proceeding, click Yes to stop the services.

Step 14 If you are prompted to insert the Windows Server 2003 disc into the drive, insert either the Cisco Unity Connection disc, which contains the same required software, or a Windows Server 2003 disc.

Step 29 If Microsoft Certificate Services is on another server and you were not able to save the certificate request file in a network location accessible to that server, copy the certificate request file to a removable medium (diskette, CD, or DVD).

Step 30 Repeat Step 1 through Step 29 to create a certificate signing request for each additional Exchange server that contains calendar and contact data that you want Connection users to be able to access.

Step 31 If you are not using an external certification authority, you are finished with this procedure.

If you are using an external certification authority, send the certificate request files to the CA. When the certificates return from the CA, skip to the "To Install the Certificate" procedure.

Do the following procedure for each Exchange server that contains calendar and contact data that you want Connection users to be able to access.

To Issue the Certificate (Only When You Are Using Microsoft Certificate Services to Issue the Certificate)

Step 1 On the server on which you installed Microsoft Certificate Services, log on to Windows by using an account that is a member of the Domain Admins group.

Step 16 In the Save As dialog box, choose a location and enter a file name.

If this is not a server on which Internet Information Services Manager is installed, try to choose a network location that you can access from the current server and from the server on which Microsoft Certificate Services is installed.

Step 17 Write down the path and file name. You will need it in a later procedure.

Step 25 If Internet Information Services Manager is on another server and you were not able to save the certificate request files in a network location accessible to that server, copy the certificate request files to a removable medium (diskette, CD, or DVD).

Do the following procedure for every Exchange server that contains calendar and contact data that you want Connection users to be able to access.

Step 16 Repeat Step 1 through Step 15 for each certificate that you want to install.

Creating Connection External Services to Specify the Exchange Servers That Users Can Access

In Cisco Unity Connection Administration, you create and configure one WebDav external service for each Exchange server that contains calendar and contact data that you want Connection users to be able to access.

To Create Connection External Services to Specify the Exchange Servers That Users Can Access

Step 4 In the Display Name field, enter a name that will help you identify the service when you configure Connection users to access their calendar and contact information. (For example, in the name of the service, you might include the name of the Exchange server that contains the calendar and contact data users are accessing.)

Step 5 In the Server Base URL field, enter the URL for the Exchange server that contains calendar and contact data that you want Connection users to be able to access. Use the format https://<Exchange server>/Exchange/ where <Exchange server> is the computer name, the fully qualified domain name, or the IP address of the Exchange server.

To make the Cisco Unity Connection server trust the certificates for the Exchange servers, you need to add the certification authority's signing certificate to the root certificate store for the Connection server.

Step 4 Right-click the name of the certification authority, and click Properties.

Step 5 In the <Certification authority name> Properties dialog box, on the General tab, in the CA Certificates list, click the name of one of the certificates that you created for the Exchange servers.

Step 6 Click View Certificate.

Step 7 In the Certificate dialog box, click the Details tab.

Step 8 Click Copy to File.

Step 9 On the Welcome to the Certificate Export Wizard page, click Next.

Step 19 Copy the certificate export file that you specified in Step 12 to the Connection server, and save it in the Utilities directory on the drive where Connection software is installed (usually drive G).

Do the following procedure on each Exchange server so that if a Connection administrator accidentally specifies an http URL when updating the list of Exchange servers that users can access, any attempt to transfer unencrypted Exchange data will fail. However, note that this is a global setting. For every Exchange server on which you have done this procedure, all web clients that access Exchange data on that server will be required to use an https URL.
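The Server Base URL format given earlier (https://<Exchange server>/Exchange/) can also be checked before the values are entered in Cisco Unity Connection Administration, so that an http URL is caught at entry time rather than by the Exchange server refusing it. The following Python sketch is an added example, not part of the Cisco documentation or product; the function names, display names, and host names in it are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_server_base_url(url):
    """Return a list of problems with a Server Base URL (empty list means OK)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        problems.append("scheme must be https, not %r" % parts.scheme)
    if parts.username or parts.password:
        problems.append("URL must not embed credentials")
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)            # IP address form
    except ValueError:
        labels = host.split(".")              # computer name or FQDN form
        if not host or not all(_LABEL.match(label) for label in labels):
            problems.append("host %r is not a valid name or IP address" % host)
    if parts.path != "/Exchange/":            # format stated in the procedure
        problems.append("path must be /Exchange/, not %r" % parts.path)
    if parts.query or parts.fragment:
        problems.append("URL must not carry a query string or fragment")
    return problems


def audit_services(services):
    """Map each service display name to its problems; valid entries are omitted."""
    report = {}
    for name, url in services.items():
        problems = check_server_base_url(url)
        if problems:
            report[name] = problems
    return report


# Constructed sample input: display name -> Server Base URL (placeholder hosts).
SAMPLE_SERVICES = {
    "Exchange EXCH01": "https://exch01.example.com/Exchange/",
    "Exchange EXCH02": "http://exch02.example.com/Exchange/",
    "Exchange by IP": "https://10.0.0.25/Exchange",
}

if __name__ == "__main__":
    for name, problems in audit_services(SAMPLE_SERVICES).items():
        print(name, "->", "; ".join(problems))
```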

Synchronizing the Clock on the Cisco Unity Connection Server with the Clock on a Domain Controller

Personal call transfer rules that are based on calendar data require that the system clocks be synchronized for the Cisco Unity Connection server and all of the Exchange servers on which Connection is accessing calendar data.

If you already have a method for synchronizing system clocks, synchronize the clock on the Connection server by using the same method. If not, do the procedure in this section to configure the Connection server and all of the Exchange servers on which Connection is accessing calendar data to synchronize the system clock with the system clock on a domain controller.

Caution: If the time on the Connection server does not match the time on Exchange servers on which calendar data is being accessed, personal call transfer rules that are based on calendar data will route calls incorrectly.

To Synchronize the Clock on the Cisco Unity Connection Server with the Clock on a Domain Controller

Step 1 With the IT manager, determine the domain controller with which you should synchronize system clocks.

Step 2 On the Connection server, log on to Windows by using an account that is a member of the local Administrators group.